Twitter acknowledged the attack affecting its website early this morning, issuing a patch for the exploit several hours later.
Numerous security vendors confirmed the XSS attack, including Sean-Paul Correll at Panda Labs.
“This particular vulnerability took advantage of the onmouseover function in JavaScript, which works by executing JavaScript code by simply moving your mouse over some text”, he noted in a blog posting.
Correll said this attack could have been “nasty in the hands of skilled cyber criminal”, as anyone visiting a profile could have been redirected to another website, one that possibly served up malicious code.
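To show the class of mistake behind an onmouseover injection and the fix for it, here is an added example (not Twitter's code and not from the article's sources). It assumes a hypothetical renderer that turns tweet text into an HTML link: the naive version interpolates user text verbatim, so a double quote closes the href attribute and an event-handler attribute rides along; the hardened version escapes attribute-breaking characters, and a small check flags inline handlers in the output.

```javascript
// Constructed sample tweet (placeholder handler body, not a working payload):
// the embedded quote terminates the href attribute in the naive renderer.
const SAMPLE_TWEET = 'http://example.invalid/"onmouseover="/*placeholder*/" x="';

// Vulnerable renderer (assumed, for illustration): user text goes straight
// into the markup, so attribute breakout is possible.
function renderLinkVulnerable(text) {
  return `<a href="${text}">${text}</a>`;
}

// Escape the five characters that can break out of an attribute value or a
// text node. This is the core mitigation for this bug class.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: escape before interpolating into both the attribute and
// the element body, so a quote in the tweet cannot start a new attribute.
function renderLinkSafe(text) {
  const safe = escapeHtml(text);
  return `<a href="${safe}">${safe}</a>`;
}

// Defender-side check for rendered output: does any tag carry an on*
// event-handler attribute? Browsers accept a quote as the separator before a
// new attribute, so the check allows whitespace or a quote before "on".
function hasInlineHandler(html) {
  return /<[^>]*[\s"']on[a-z]+\s*=/i.test(html);
}

// Side-by-side demonstration on the constructed tweet.
console.log('vulnerable :', renderLinkVulnerable(SAMPLE_TWEET));
console.log('  handler? ', hasInlineHandler(renderLinkVulnerable(SAMPLE_TWEET)));
console.log('hardened   :', renderLinkSafe(SAMPLE_TWEET));
console.log('  handler? ', hasInlineHandler(renderLinkSafe(SAMPLE_TWEET)));
```

Escaping is context-specific: this covers attribute values and text nodes, while a value placed inside a script block or a URL scheme needs its own validation (for example, accepting only http and https in href).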
Only the Twitter website itself appears to have been affected by the XSS attack; Sophos’ Graham Cluley recommended earlier in the day that tweeters might be safer accessing the service via third-party clients, such as mobile Twitter apps.
Nevertheless, the company’s senior technology consultant kept his sense of humor about the incident: “Would this be an inappropriate time to say you can follow me on Twitter at @gcluley...? Possibly.”